Read key vault certificate secrets on Azure Cloud Services (extended support)

This article discusses how to set up an application that's hosted by Microsoft Azure Cloud Services (extended support) so that it can read certificate secrets from a key vault.

Overview

Unlike an application that's hosted in Azure App Service, an application that's hosted by Azure Cloud Services (extended support) must be able to read certificate secrets from a key vault by using its own credentials. Although the authentication best practice for Azure Key Vault recommends that you use managed identities, Cloud Services (extended support) doesn't currently support this feature. In Cloud Services (extended support), an application has to use certificate credentials for application authentication on the Microsoft identity platform.

In your application code, you should use the SecretClient class in the Azure.Security.KeyVault.Secrets namespace. The following table outlines other APIs to use for specific tasks.

Task                          | API                                                                      | Namespace
------------------------------|--------------------------------------------------------------------------|----------------------------------------------
Fetch the certificate         | The X509Store.Certificates property                                      | System.Security.Cryptography.X509Certificates
Authenticate the certificate  | The ClientCertificateCredential(String, String, String) class constructor | Azure.Identity

The following C# code snippet shows how to read a certificate secret from a key vault into a SecretClient object:

using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Deployment-specific values (placeholders): the certificate thumbprint, the tenant ID and client ID from the app registration, and the vault URL.
string certificateThumbprint = "<thumbprint>", tenantID = "<tenant ID>", clientID = "<client ID>";
string keyVaultUrl = "https://<vault-name>.vault.azure.net/";

// Look up the certificate by thumbprint in the local machine's personal store.
var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
store.Open(OpenFlags.ReadOnly);
X509Certificate2 cert = store.Certificates.OfType<X509Certificate2>().FirstOrDefault(
    x => x.Thumbprint == certificateThumbprint
);
store.Close();
if (cert == null) throw new InvalidOperationException("Certificate not found in LocalMachine\\My.");

var credential = new ClientCertificateCredential(tenantID, clientID, cert);
var client = new SecretClient(new Uri(keyVaultUrl), credential);
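The snippet above stops at constructing the client. The following added example (not from the original article or the Azure SDK) carries the flow through to reading a secret and checks the two things that most often go wrong on a Cloud Services (extended support) role: the certificate was deployed without its private key, or the app registration has no permission on the vault. It uses the ClientCertificateCredential overload that takes an X509Certificate2, as the snippet does; the method and parameter names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultCertificateAuth
{
    // Loads the app registration's certificate from LocalMachine\My and verifies that
    // it can actually be used to sign the client assertion sent to Microsoft Entra ID.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2 cert = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>()
            .FirstOrDefault()
            ?? throw new InvalidOperationException($"No certificate with thumbprint {thumbprint} in LocalMachine\\My.");

        // The role must be deployed with the private key; a public-only cert cannot authenticate.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate was installed without its private key.");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException($"Certificate expired on {cert.NotAfter:u}; rotate it in the app registration and the role.");
        return cert;
    }

    // Hypothetical helper: authenticates with the certificate and returns one secret's value.
    public static string ReadSecret(string keyVaultUrl, string secretName,
                                    string tenantId, string clientId, string thumbprint)
    {
        X509Certificate2 cert = LoadClientCertificate(thumbprint);
        var credential = new ClientCertificateCredential(tenantId, clientId, cert);
        var client = new SecretClient(new Uri(keyVaultUrl), credential);
        try
        {
            KeyVaultSecret secret = client.GetSecret(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // 403 means the token was accepted but the app registration lacks a Key Vault
            // role assignment or access policy that grants "get" on secrets for this vault.
            throw new InvalidOperationException("Application is not authorized to read secrets from this vault.", ex);
        }
    }
}
```

An AuthenticationFailedException from Azure.Identity, by contrast, points at the identity side: the thumbprint is not registered on the app registration, or the tenant or client ID is wrong.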

More information

Contact us for help

If you have questions or need help, create a support request, or ask Azure community support. You can also submit product feedback to Azure feedback community.